Merge branch 'PHP-5.5' of git.php.net:php-src into PHP-5.5

* 'PHP-5.5' of git.php.net:php-src:
  Use zend_error_noreturn here
  Add Tests for #65784 in 5.5
  Disallowed JMP into a finally block.
  Update NEWS for 5.5.7 release

3 files changed, 78 insertions, 6 deletions

diff --git a/NEWS b/NEWS
index 12132d16b4..d9dcac91a5 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2013, PHP 5.5.8
 
 - Core:
+  . Disallowed JMP into a finally block. (Laruence)
   . Added validation of class names in the autoload process. (Dmitry)
   . Fixed invalid C code in zend_strtod.c. (Lior Kaplan)
   . Fixed bug #66041 (list() fails to unpack yielded ArrayAccess object).
@@ -41,7 +42,7 @@ PHP                                                                        NEWS
   . Fixed bug #49634 (Segfault throwing an exception in a XSL registered
     function). (Mike)
 
-?? ??? 2013, PHP 5.5.7
+12 Dec 2013, PHP 5.5.7
 
 - CLI server:
   . Added some MIME types to the CLI web server (Chris Jones)
@@ -62,6 +63,10 @@ PHP                                                                        NEWS
 - readline
   . Fixed Bug #65714 (PHP cli forces the tty to cooked mode). (Remi)
 
+- Openssl:
+  . Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420).
+    (Stefan Esser).
+
 14 Nov 2013, PHP 5.5.6
 
 - Core:
diff --git a/Zend/tests/bug65784.phpt b/Zend/tests/bug65784.phpt
new file mode 100644
index 0000000000..adc34113a5
--- /dev/null
+++ b/Zend/tests/bug65784.phpt
@@ -0,0 +1,62 @@
+--TEST--
+Fixed Bug #65784 (Segfault with finally)
+--XFAIL--
+This bug is not fixed in 5.5 due to ABI BC
+--FILE--
+<?php
+function foo1() {
+	try {
+		throw new Exception("not catch");
+		return true;
+	} finally {
+		try {
+			throw new Exception("catched");
+		} catch (Exception $e) {
+		}
+	}
+}
+try {
+	$foo = foo1();
+	var_dump($foo);
+} catch (Exception $e) {
+	do {
+		var_dump($e->getMessage());
+	} while ($e = $e->getPrevious());
+}
+
+function foo2() {
+	try  {
+		try {
+			throw new Exception("catched");
+			return true;
+		} finally {
+			try {
+				throw new Exception("catched");
+			} catch (Exception $e) {
+			}
+		}
+	} catch (Exception $e) {
+	}
+}
+
+$foo = foo2();
+var_dump($foo);
+
+function foo3() {
+	try {
+		throw new Exception("not catched");
+		return true;
+	} finally {
+		try {
+			throw new NotExists();
+		} catch (Exception $e) {
+		}
+	}
+}
+
+$bar = foo3();
+--EXPECTF--
+string(9) "not catch"
+NULL
+
+Fatal error: Class 'NotExists' not found in %sbug65784.php on line %d
diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
index 41b4bd2571..2dfa9848b6 100644
--- a/Zend/zend_opcode.c
+++ b/Zend/zend_opcode.c
@@ -489,17 +489,22 @@ static void zend_check_finally_breakout(zend_op_array *op_array, zend_uint op_nu
 	zend_uint i;
 
 	for (i = 0; i < op_array->last_try_catch; i++) {
-		if (op_array->try_catch_array[i].try_op > op_num) {
-			break;
-		}
-		if ((op_num >= op_array->try_catch_array[i].finally_op 
+		if ((op_num < op_array->try_catch_array[i].finally_op ||
+					op_num >= op_array->try_catch_array[i].finally_end)
+				&& (dst_num >= op_array->try_catch_array[i].finally_op &&
+					 dst_num <= op_array->try_catch_array[i].finally_end)) {
+			CG(in_compilation) = 1;
+			CG(active_op_array) = op_array;
+			CG(zend_lineno) = op_array->opcodes[op_num].lineno;
+			zend_error_noreturn(E_COMPILE_ERROR, "jump into a finally block is disallowed");
+		} else if ((op_num >= op_array->try_catch_array[i].finally_op 
 					&& op_num <= op_array->try_catch_array[i].finally_end)
 				&& (dst_num > op_array->try_catch_array[i].finally_end 
 					|| dst_num < op_array->try_catch_array[i].finally_op)) {
 			CG(in_compilation) = 1;
 			CG(active_op_array) = op_array;
 			CG(zend_lineno) = op_array->opcodes[op_num].lineno;
-			zend_error(E_COMPILE_ERROR, "jump out of a finally block is disallowed");
+			zend_error_noreturn(E_COMPILE_ERROR, "jump out of a finally block is disallowed");
 		}
 	} 
 }